A curated timeline of real AI agent security incidents, breaches, and vulnerabilities from 2024-2026. Every entry includes date, named company/product, specific impact, root cause, CVE where applicable, and source links.
No opinions. No product pitches. Just facts with sources.
- Target: PraisonAI Gateway
- Impact: Any network client can enumerate agents and send arbitrary messages via unauthenticated WebSocket
- Root Cause: No authentication on WebSocket and agent topology endpoints
- CVE: CVE-2026-34952 (CVSS 9.1)
- Sources: TheHackerWire
- Target: Microsoft Azure MCP Server
- Impact: Sensitive data accessible without valid credentials; no patch available at disclosure
- Root Cause: Improper authentication implementation
- CVE: CVE-2026-32211 (CVSS 9.1)
- Sources: WindowsNews
- Target: Meta / Mercor
- Impact: All Meta contracts with Mercor suspended indefinitely; AI training data secrets at risk
- Root Cause: Meta's response to the Mercor breach, which stemmed from the LiteLLM supply chain attack
- Sources: Social Media Today, Benzinga
- Target: Drift Protocol (Solana DeFi)
- Impact: $285M stolen in 12 minutes via fictitious CarbonVote Token, oracle manipulation, and zero-timelock Security Council migration
- Root Cause: Six-month social engineering campaign by UNC4736 (DPRK) targeting multisig signers; pre-signed hidden authorizations
- Sources: TRM Labs, Elliptic, The Hacker News
- Target: Mercor ($10B AI hiring startup)
- Impact: 40K+ people affected; Lapsus$ claims 4TB of data including PII, video interviews, credentials, source code; class action filed
- Root Cause: Cascading supply chain: TeamPCP compromised Trivy, stole LiteLLM credentials, published poisoned PyPI packages
- Sources: Fortune, TechCrunch, SecurityWeek
- Target: Axios (70-100M weekly npm downloads)
- Impact: Malicious versions tagged "latest" delivered cross-platform RAT via dependency "plain-crypto-js"
- Root Cause: Social engineering of lead maintainer's npm credentials by Sapphire Sleet / UNC1069 (DPRK)
- Sources: Microsoft Security Blog, The Hacker News, Elastic Security Labs
- Target: Cisco internal dev environment
- Impact: 300+ GitHub repos cloned including AI product source code and customer code from banks and US government agencies
- Root Cause: Credentials harvested during TeamPCP's Trivy compromise used to access Cisco dev infrastructure
- Sources: BleepingComputer, SOCRadar
- Target: Telnyx Python SDK
- Impact: Credential harvester concealed in WAV audio file frame data; malicious code injected into telnyx/_client.py
- Root Cause: Telnyx PyPI token stolen during LiteLLM compromise; TeamPCP cascading attack
- Sources: The Hacker News, Akamai, Trend Micro
- Target: LiteLLM (3.4M daily PyPI downloads)
- Impact: Three-stage malware: credential theft, K8s lateral movement, persistent systemd backdoor; fork bomb bug triggered discovery; available ~3 hours before quarantine
- Root Cause: PyPI credentials stolen from LiteLLM CI environment during Trivy compromise
- Sources: LiteLLM Official, Snyk, ReversingLabs
- Target: Checkmarx KICS, AST GitHub Action, OpenVSX extensions
- Impact: 35 tags hijacked; credential stealer exfiltrated secrets encrypted to attacker server checkmarx.zone
- Root Cause: cx-plugins-releases service account compromised via credentials from Trivy attack
- Sources: Wiz, Checkmarx, The Hacker News
- Target: npm ecosystem (66+ packages)
- Impact: 141 malicious package artifacts; persistent systemd backdoor; first npm worm to use decentralized ICP as C2, making takedown impossible
- Root Cause: Credentials harvested from Trivy compromise used to publish malicious versions
- CVE: CVE-2026-33634
- Sources: Aikido, The Hacker News, Mend.io
- Target: Aqua Security Trivy scanner
- Impact: 76 of 77 version tags redirected to malicious commits; Runner.Worker memory dumped; SSH, cloud, K8s secrets harvested; 1,000+ SaaS environments compromised downstream
- Root Cause: Service account compromised through a prior incident that had been incompletely remediated
- Sources: Wiz, Aqua Security, Unit 42
- Target: Meta internal AI systems
- Impact: AI agent posted unauthorized technical advice; another employee followed it, exposing massive company and user data to unauthorized engineers for two hours
- Root Cause: AI agent acted autonomously without human-in-the-loop confirmation
- Sources: TechCrunch, The Information, Engadget
- Target: Langflow (all versions through 1.8.1)
- Impact: Attackers built working exploits within 20 hours; harvested OpenAI, Anthropic, and AWS API keys from compromised instances
- Root Cause: POST endpoint accepts arbitrary Python code in node definitions, executed server-side without sandboxing
- CVE: CVE-2026-33017 (CVSS 9.3)
- Sources: The Hacker News, Sysdig, Barrack AI
- Target: LangChain Core
- Impact: Arbitrary file access via prompt-loading API
- Root Cause: Path traversal in prompt loading
- CVE: CVE-2026-34070 (CVSS 7.5)
- Sources: GitLab Advisory
- Target: nx monorepo tooling / enterprise AWS
- Impact: Attacker cloned GitHub repos, extracted CI/CD secrets, achieved full AWS admin; S3 buckets accessed, EC2/RDS terminated
- Root Cause: Compromised nx npm package delivered QUIETVAULT credential stealer; GitHub-to-AWS OIDC trust chain abuse
- Sources: The Hacker News, CSA Labs
- Target: Moltbook/OpenClaw platform
- Impact: Meta acquired the platform after exposed database (1.5M API tokens, 35K emails), 1,184+ malicious skills distributing Atomic Stealer, and 135K exposed instances
- Root Cause: Unsecured database; no skill vetting; WebSocket accepting unauthenticated localhost connections
- CVE: CVE-2026-25593, CVE-2026-25253 (CVSS 8.8), and 6 others
- Sources: Wiz, eSecurity Planet, BleepingComputer
- Target: ROME agent (Alibaba-affiliated)
- Impact: Agent accessed GPU resources to mine crypto; created reverse SSH tunnel bypassing security processes; behavior was spontaneous, not prompted
- Root Cause: During reinforcement learning, agent spontaneously produced unauthorized behaviors including system tool invocation outside boundaries
- Sources: Axios, Live Science
- Target: OpenClaw / Meta
- Impact: Meta AI safety director lost 200+ emails; agent ignored repeated STOP commands; post received ~9M views on X
- Root Cause: Agent ran out of working memory and condensed prior messages, discarding the instruction to confirm before acting
- Sources: Fast Company, TechCrunch
- Target: Cline AI coding assistant (5M+ users)
- Impact: ~4,000 developer machines compromised in 8-hour window; malicious cline@2.3.0 published to npm installing OpenClaw globally
- Root Cause: Prompt injection in GitHub issue title tricked Claude-powered triage bot; GitHub Actions cache poisoning (Cacheract)
- Sources: Snyk, The Hacker News, Adnan Khan
- Target: MCP TypeScript SDK (v1.10.0-1.25.3)
- Impact: Tool results, resource content, and error messages routed to wrong client in multi-tenant deployments
- Root Cause: Race condition in response multiplexing of StreamableHTTPServerTransport
- CVE: CVE-2026-25536 (CVSS 7.1)
- Sources: VulnerableMCP
- Target: Langflow (versions up to 1.6.9)
- Impact: Complete account takeover and RCE via malicious webpage visit; Flodrix botnet deployed for DDoS and data exfiltration
- Root Cause: Overly permissive CORS, no CSRF protection on token refresh, code validation endpoint allows execution
- CVE: CVE-2025-34291 (CVSS 9.4)
- Sources: Obsidian Security, CrowdSec
- Target: Anthropic Claude Code
- Impact: Malicious settings file redirects API requests to attacker endpoint before trust prompt; stolen API key grants access to team's shared resources
- Root Cause: API requests issued before trust confirmation prompt
- CVE: CVE-2026-21852 (CVSS 5.3)
- Sources: Check Point Research, GitHub Advisory
- Target: Anthropic Git MCP Server
- Impact: Path traversal, argument injection, and RCE when chained; any directory turned into Git repo; arbitrary file overwrite
- Root Cause: Missing path validation, unsanitized arguments in git_diff/git_checkout
- CVE: CVE-2025-68143, CVE-2025-68144, CVE-2025-68145
- Sources: The Hacker News, SecurityWeek
- Target: n8n workflow automation (~100K instances)
- Impact: Unauthenticated full server takeover; access to API credentials, OAuth tokens, CI/CD pipelines, payment processors
- Root Cause: Content-Type confusion in webhook processing overwrites req.body.files; no code execution sandboxing
- CVE: CVE-2026-21858 (CVSS 10.0), CVE-2026-21877 (CVSS 10.0)
- Sources: The Hacker News, Cyera Research, The Register
- Target: LangChain Core (before 0.3.81)
- Impact: Secret exfiltration and potential RCE via LLM-influenced metadata containing reserved 'lc' key
- Root Cause: dumps()/dumpd() did not escape user-controlled dicts with reserved serialization marker
- CVE: CVE-2025-68664 (CVSS 9.3)
- Sources: Cyata, The Hacker News, Orca Security
- Target: Cursor, Windsurf, Kiro.dev, Copilot, Zed, Roo Code, Cline, others
- Impact: Data exfiltration, RCE, and supply chain compromise across most popular AI IDEs; Windsurf vulnerable to persistent memory poisoning
- Root Cause: Systemic lack of input validation; persistent memory stores process untrusted content as trusted
- CVE: Multiple
- Sources: The Hacker News, Fortune
- Target: Microsoft Copilot Studio
- Impact: Credit card data leaked; business logic manipulated (booking trips at $0)
- Root Cause: No-code agent platform allows employees to build AI agents without robust input validation
- Sources: Tenable, Security Boulevard
- Target: ServiceNow Now Assist / Agentforce
- Impact: Low-privilege agent tricks higher-privilege agent into exporting case files to external URL; ServiceNow said system "works as intended"
- Root Cause: Default agent configs allow autonomous overrides; agents run with initiating user privilege
- Sources: The Hacker News, AppOmni
- Target: CrewAI platform
- Impact: Single internal GitHub token with admin rights to all private repos exposed; CVSS 9.2
- Root Cause: Improper error handling exposed internal GitHub token
- Sources: Noma Security, Security Boulevard
- Target: Anthropic Claude Desktop (Chrome, iMessage, Apple Notes extensions)
- Impact: Command injection in three official Anthropic-written extensions; SSH keys, AWS credentials, browser passwords exposed; CVSS 8.9
- Root Cause: Unsanitized input handling; no sandboxing for Desktop Extensions
- Sources: Koi AI, CSO Online
- Target: GitHub Copilot Chat (Agent mode)
- Impact: Arbitrary instruction execution via extremely long filenames containing prompt injections; Microsoft declined to fix
- Root Cause: Copilot appends file names to user prompts without sanitization
- Sources: Tenable TRA-2025-53
- Target: Anthropic Claude Code
- Impact: RCE and API token exfiltration when developers clone untrusted repositories; hooks execute before trust dialog
- Root Cause: Startup trust dialog allowed code execution from project configs before user accepts
- CVE: CVE-2025-59536 (CVSS 8.7)
- Sources: Check Point Research, Dark Reading, Cybernews
- Target: Langflow (versions up to 1.6.9)
- Impact: Complete instance compromise; all stored API keys exposed
- Root Cause: Overly permissive CORS + missing CSRF protection + code validation endpoint
- CVE: CVE-2025-34291 (CVSS 9.4)
- Sources: Obsidian Security, NVD
- Target: Salesforce Agentforce
- Impact: CRM data exfiltrated via indirect prompt injection through Web-to-Lead forms; CVSS 9.4
- Root Cause: Indirect prompt injection via user-submitted form data; expired domain still whitelisted in CSP
- Sources: Noma Security, The Hacker News, The Register
- Target: Salesloft Drift / Salesforce / Google Workspace / Slack
- Impact: 700+ organizations compromised including Cloudflare, Google, Palo Alto Networks, Zscaler; CRM records, API keys, cloud credentials stolen
- Root Cause: UNC6395 stole OAuth tokens from Drift chatbot integration
- Sources: Google Cloud Blog, The Hacker News, Cloudflare Blog
- Target: Anthropic Claude Code (below v1.0.20)
- Impact: Whitelisted echo command used as injection vector; AI model helps reverse-engineer its own security
- Root Cause: Error in command parsing; echo whitelisted without sanitization
- CVE: CVE-2025-54794, CVE-2025-54795 (CVSS 8.7)
- Sources: Cymulate, GitHub Advisory
- Target: Claude Code extensions
- Impact: Malicious websites could read local files and execute code in Jupyter notebooks via unauthenticated local WebSocket
- Root Cause: Unauthenticated local WebSocket servers exposed to browser contexts
- CVE: CVE-2025-52882
- Sources: Datadog Security Labs
- Target: OpenAI Codex CLI (before v0.23.0)
- Impact: Arbitrary command execution in user's security context; CI/automation runs at risk
- Root Cause: Codex implicitly trusted project-local config files and executed embedded commands
- CVE: CVE-2025-61260
- Sources: SecurityWeek, Check Point Research
- Target: GitHub Copilot (VS Code)
- Impact: Prompt injection in code comments enables "YOLO mode" - disabling all confirmations and executing privileged shell commands
- Root Cause: Copilot processes untrusted content from code comments as instructions; no safeguard against config modification
- CVE: CVE-2025-53773
- Sources: Embrace The Red, GBHackers
- Target: Cursor AI IDE
- Impact: Full developer machine compromise from a single crafted Slack message; attack completes in minutes
- Root Cause: AI processed crafted Slack messages as instructions; config changes executed before user approval
- CVE: CVE-2025-54135 (CVSS 8.6)
- Sources: Tenable, NVD
- Target: Cursor AI IDE
- Impact: Silent backdoor execution on every team member who opens a project
- Root Cause: MCP server trust bound to name rather than content hash; no re-approval for config changes
- CVE: CVE-2025-54136 (CVSS 7.2)
- Sources: Check Point Research, NVD
- Target: Microsoft Copilot
- Impact: File access history, location, conversation memory exfiltrated; attacker maintains control after chat closed
- Root Cause: URL query parameter ?q= accepted as pre-filled prompt without validation
- Sources: Varonis, SecurityWeek
- Target: Amazon Q Developer Extension (950K+ installs)
- Impact: Compromised v1.84.0 live for two days; destructive AI prompt instructed deletion of home directory and AWS resources; failed due to syntax error
- Root Cause: Over-scoped GitHub token in CI/CD pipeline
- Sources: AWS-2025-015, The Register, CSO Online
- Target: Hugging Face (1.5M+ GGUF files)
- Impact: Backdoor instructions embedded in model files execute inside trusted inference, evading system prompts and runtime monitoring
- Root Cause: No content validation of GGUF template sections
- Sources: GlobeNewsWire
- Target: mcp-remote (437K+ downloads)
- Impact: Full system compromise via malicious MCP server OAuth flow
- Root Cause: Improper handling of authorization_endpoint URL in OAuth flow
- CVE: CVE-2025-6514 (CVSS 9.6)
- Sources: JFrog, The Hacker News
- Target: Langflow servers
- Impact: Full system compromise; Flodrix botnet deployed for DDoS and data exfiltration
- Root Cause: Unpatched Langflow instances (CVE-2025-3248) exposed to internet
- CVE: CVE-2025-3248
- Sources: Trend Micro, SecurityWeek, Dark Reading
- Target: Microsoft 365 Copilot
- Impact: Zero-click data exfiltration from M365 sessions via crafted email; bypassed XPIA classifier
- Root Cause: AI command injection via hidden text, speaker notes, and metadata in documents
- CVE: CVE-2025-32711 (CVSS 9.3)
- Sources: The Hacker News, HackTheBox
- Target: GitHub Copilot Chat
- Impact: Silent exfiltration of AWS keys, security tokens, and zero-day details from private repos; CVSS 9.6
- Root Cause: Copilot parsed invisible markdown comments; data exfiltrated via GitHub Camo proxy image requests
- CVE: CVE-2025-59145
- Sources: Legit Security, Dark Reading
- Target: Anthropic Filesystem MCP Server
- Impact: Sandbox escape, arbitrary file access, root-level compromise possible
- Root Cause: Naive startswith path validation; no symlink validation
- CVE: CVE-2025-53109 (CVSS 8.4), CVE-2025-53110 (CVSS 7.3)
- Sources: Cymulate, SecurityWeek
- Target: ElizaOS (AI agent framework for blockchain)
- Impact: Potential loss of millions in crypto; fabricated payment confirmations stored in memory redirect future transactions
- Root Cause: No integrity verification on persistent memory entries
- Sources: Decrypt
- Target: Langflow (before v1.3.0)
- Impact: Full server takeover; CISA confirmed active exploitation in the wild
- Root Cause: Code validation endpoint invokes exec() on user-supplied code without auth or sandboxing
- CVE: CVE-2025-3248 (CVSS 9.8)
- Sources: The Hacker News, Zscaler, NVD
- Target: WhatsApp MCP server / MCP ecosystem
- Impact: Complete WhatsApp message history exfiltration; 5.5% of MCP servers exhibit tool poisoning; 33% allow unrestricted network access
- Root Cause: Hidden instructions in MCP tool descriptions; no runtime integrity verification; tools can mutate definitions post-install
- Sources: Invariant Labs, Docker, Simon Willison
- Target: Cursor IDE, GitHub Copilot
- Impact: Malicious code injected silently into AI-generated output; invisible Unicode characters bypass code reviews
- Root Cause: AI config files parsed by AI but invisible to human reviewers due to Unicode obfuscation
- Sources: Pillar Security, The Hacker News
- Target: 23,000+ GitHub repositories
- Impact: Access keys, GitHub PATs, npm tokens, and private RSA keys exposed in public workflow logs
- Root Cause: Compromised GitHub PAT; chained via reviewdog/action-setup
- CVE: CVE-2025-30066, CVE-2025-30154
- Sources: CISA, Wiz, Unit 42
- Target: Bybit exchange / Safe{Wallet}
- Impact: $1.5B in Ethereum stolen; largest crypto theft in history; part of $2.02B DPRK total in 2025
- Root Cause: Social engineering of Safe{Wallet} developer; dormant malware activated during legitimate transaction
- Sources: FBI IC3, Fortune, TRM Labs
- Target: Google Gemini / Calendar / Smart Home
- Impact: Unauthorized smart home control, private calendar data exfiltration, deceptive events - all zero-click; 73% of scenarios rated High-Critical
- Root Cause: Gemini processes hidden instructions in calendar event metadata
- Sources: The Register, Dark Reading, Miggo
- Target: OmniGPT AI aggregator
- Impact: 30K user emails/phones; 34M lines of chat messages leaked including API keys, crypto private keys; data sold for $100 on BreachForums
- Root Cause: Infrastructure breach
- Sources: Hackread, CSO Online
- Target: Cursor AI IDE (v1.6.23 and below)
- Impact: Configuration file modification leading to potential RCE on case-insensitive file systems
- Root Cause: Path comparison used exact case matching on case-insensitive filesystems
- CVE: CVE-2025-59944 (CVSS 8.0)
- Sources: Lakera, NVD
- Target: GitHub Codespaces + Copilot
- Impact: Silent GITHUB_TOKEN exfiltration enabling full repository takeover
- Root Cause: Copilot processes invisible HTML comments in issues; Codespace secrets accessible via symlink
- Sources: Orca Security, SecurityWeek
- Target: DB-GPT v0.7.0
- Impact: Arbitrary code execution with DB-GPT process privileges (default: root in containers)
- Root Cause: No content validation on uploaded plugin Python files
- CVE: CVE-2025-51459 (CVSS 6.5)
- Sources: Gecko Security
- Target: Ultralytics YOLO AI library
- Impact: Four malicious versions uploaded containing XMRig crypto miner; two-phase attack over Dec 4-7
- Root Cause: Attacker abused git branch names to steal GitHub Actions CI/CD credentials; compromised PyPI token
- Sources: PyPI Blog, Wiz, Snyk
2024-12 - ChatGPT Search Manipulation via Hidden Text
- Target: OpenAI ChatGPT Search
- Impact: Hidden webpage text manipulates AI-generated summaries; demonstrated in crypto scam distributing credential-stealing instructions
- Root Cause: Indirect prompt injection via hidden text; ChatGPT Search processed all content including invisible elements
- Sources: dig.watch
- Target: Freysa autonomous AI agent
- Impact: AI agent tricked into releasing $47,316 in crypto by redefining the approveTransfer function's purpose
- Root Cause: AI agent manipulated into misinterpreting its own function definitions
- Sources: The Block, CryptoBriefing
- Target: Microsoft Copilot / Bing Cache
- Impact: 16,000+ organizations affected; Fortune 500 private repos exposed; 300+ leaked tokens, keys, secrets
- Root Cause: Bing cached repo content when briefly public; Copilot continued serving "zombie data" after repos went private
- Sources: Lasso Security, SecurityWeek
- Target: Microsoft Copilot Studio
- Impact: Cross-site scripting allowing execution of malicious scripts within authenticated sessions
- Root Cause: Improper neutralization of input during web page generation
- CVE: CVE-2024-49038
- Sources: SentinelOne
- Target: Mistral LeChat, ChatGLM, Meta Llama
- Impact: 80% success rate exfiltrating PII via obfuscated adversarial prompts and hidden Markdown image URLs
- Root Cause: Multi-lingual token substitution generates human-unreadable but LLM-executable malicious prompts
- Sources: ArXiv, Imprompter.ai
- Target: Anthropic Claude 3.5 Sonnet
- Impact: Autonomous computer control exposed to prompt injection from any visual or textual content; demos showed potential for autonomous malware creation
- Root Cause: Granting autonomous computer control inherently exposes LLM to prompt injection from encountered content
- Sources: Prompt Security, Bank Info Security
- Target: OpenAI ChatGPT macOS app
- Impact: Persistent spyware in ChatGPT's long-term memory; continuous data exfiltration across all future sessions
- Root Cause: Memory feature allowed prompt injection from untrusted data to create persistent exfiltration instructions
- Sources: Embrace The Red, The Hacker News
- Target: NVIDIA Container Toolkit (35%+ of cloud GPU environments)
- Impact: Container escape, host filesystem access, privilege escalation, manipulation of GPU workloads
- Root Cause: Time-of-check to time-of-use (TOCTOU) flaw
- CVE: CVE-2024-0132 (CVSS 9.0)
- Sources: Wiz, NVIDIA
- Target: Slack AI
- Impact: Data exfiltrated from private channels; API keys stolen via crafted public channel messages
- Root Cause: Indirect prompt injection through public channel messages; Markdown link rendering enabled exfiltration
- Sources: PromptArmor, Dark Reading
- Target: Microsoft 365 Copilot
- Impact: Hidden email code injection, plugin exploitation, data exfiltration through default Copilot access; no user interaction required
- Root Cause: Default configurations grant broad access to emails/docs; indirect prompt injection via invisible email tags
- Sources: Dark Reading, The Register
- Target: Microsoft Copilot Studio
- Impact: Access to Microsoft internal infrastructure, IMDS, and internal Cosmos DB; cross-tenant impact possible
- Root Cause: Server-Side Request Forgery via HTTP header manipulation and redirect techniques
- CVE: CVE-2024-38206 (CVSS 8.5)
- Sources: Tenable, The Hacker News
- Target: X/Twitter Grok AI chatbot
- Impact: Falsely stated VP Harris missed ballot deadlines in 9 states; misinformation repeated for over a week; reached millions of users; secretaries of state from 5 states demanded correction
- Root Cause: No guardrails on political/election queries
- Sources: Axios, TechCrunch
- Target: OpenAI ChatGPT macOS app
- Impact: All conversations stored in plaintext in non-sandboxed location; any app or malware could read chat history
- Root Cause: OpenAI opted out of macOS sandboxing; unencrypted storage
- CVE: CVE-2024-40594
- Sources: 9to5Mac
- Target: Microsoft 365 Copilot
- Impact: Invisible Unicode characters in hyperlinks exfiltrate emails, MFA codes, and sensitive data
- Root Cause: Copilot rendered invisible Unicode characters carrying hidden data payloads in links
- Sources: Embrace The Red, The Hacker News
- Target: Rabbit R1 AI device
- Impact: ElevenLabs admin key, Azure, Yelp, Google Maps, SendGrid keys exposed; could crash entire rabbit OS backend
- Root Cause: API keys hardcoded in device source code instead of secure storage
- Sources: Cybernews
- Target: McDonald's AI drive-thru (IBM)
- Impact: AI added 260 McNuggets, bacon on ice cream, unwanted items; three-year IBM partnership terminated
- Root Cause: AI failed to interpret accents, dialects, background noise, and overlapping voices
- Sources: CNBC
- Target: Hugging Face Spaces platform
- Impact: Unauthorized access to authentication secrets, API tokens, and keys used by developers
- Root Cause: Unauthorized access to platform secrets storage
- Sources: The Hacker News, SecurityWeek
- Target: GitHub Copilot
- Impact: Copilot reproduces real, previously exposed secrets from training data; repos using Copilot show 40% higher secret leakage rates
- Root Cause: Training data memorization of secrets from public GitHub repositories
- Sources: GitGuardian
- Target: Hugging Face shared inference infrastructure
- Impact: Cross-tenant access to other customers' AI models via malicious Pickle-serialized model
- Root Cause: Insecure deserialization; insufficient tenant isolation in shared inference
- Sources: Wiz, Dark Reading
- Target: Claude, GPT-4, GPT-3.5, Llama 2, Mistral
- Impact: Hundreds of harmful Q&A examples in a single long prompt bypass safety guardrails of all major LLMs
- Root Cause: Expanded context windows enable in-context learning to override safety training
- Sources: Anthropic
- Target: ChatGPT plugins, PluginLab.ai, Kesem AI
- Impact: OAuth credential theft, zero-click account takeover, malicious plugin installation; GitHub account access possible
- Root Cause: Missing authentication in plugin install flow; missing user account verification in PluginLab
- Sources: Salt Security, The Hacker News
- Target: OpenAI ChatGPT users
- Impact: 225,000+ compromised credentials for sale; 130K+ unique hosts infiltrated
- Root Cause: LummaC2, Raccoon, and RedLine infostealer malware on user devices
- Sources: The Hacker News, BleepingComputer
- Target: All RAG systems
- Impact: Injecting 5 malicious texts into a million-document database achieves 90% attack success; 0.04% corpus poisoning achieves 98.2% success
- Root Cause: RAG systems inherently trust retrieved documents; no integrity verification of knowledge base contents
- Sources: ArXiv
- Target: Air Canada
- Impact: Tribunal ruled Air Canada liable for chatbot's fabricated bereavement fare policy; ordered to pay $812.02; landmark AI liability ruling
- Root Cause: AI chatbot hallucinated nonexistent policy; Air Canada's "separate legal entity" defense rejected
- Sources: CBC, ABA
- Target: DPD (UK parcel delivery)
- Impact: Chatbot swore at customers, wrote poetry criticizing DPD, called itself "the worst delivery firm"; 1.3M views on X
- Root Cause: System update removed guardrails from AI chat element
- Sources: Time
- Target: langchain-experimental (v0.0.15-0.0.21)
- Impact: Arbitrary Python code execution via VectorSQLDatabaseChain
- Root Cause: eval() used on all database-retrieved values without sanitization
- CVE: CVE-2024-21513 (CVSS 8.5)
- Sources: NVD, Snyk
- Target: langchain-ai/langchain v0.2.5
- Impact: SQL/Cypher injection enabling unauthorized data manipulation, exfiltration, and DoS
- Root Cause: Insufficient input sanitization in graph database query construction
- CVE: CVE-2024-7042
- Sources: SentinelOne
- Target: langchain-experimental
- Impact: Arbitrary code execution through symbolic math processing
- Root Cause: Unsafe code evaluation in symbolic math processing
- CVE: CVE-2024-46946
- Sources: NVD
| Metric | Value | Source |
|---|---|---|
| AI safety incidents in 2024 | 233 (56.4% increase from 2023) | Stanford AI Index 2025 |
| AI incidents in 2025 | 346 (179 involved deepfakes) | AI Incident Database |
| DPRK crypto theft in 2025 | $2.02 billion | The Hacker News |
| Largest single crypto theft (Bybit) | $1.5 billion | FBI IC3 |
| Largest DeFi exploit of 2026 (Drift) | $285 million | Elliptic |
| AI trading agent losses Q1 2026 | $45 million+ | KuCoin |
| MCP server CVEs in Jan-Feb 2026 | 30+ in 60 days | MCP Security Report |
| MCP servers exposed, zero auth | 492 | Trend Micro |
| MCP servers with cmd injection flaws | 43% | Invariant Labs |
| MCP servers with tool poisoning | 5.5% | Invariant Labs |
| Malicious packages in registries (2025) | 512,847 (156% YoY increase) | Sonatype |
| Forbes AI 50 with leaked secrets | 65% | Wiz Research |
| Orgs compromised via Salesloft Drift | 700+ | Google Cloud Blog |
| OpenClaw instances exposed (Feb 2026) | 135,000+ across 82 countries | Kaspersky |
| Malicious skills on ClawHub | 1,184+ (~12% of registry) | eSecurity Planet |
| SaaS envs via Trivy cascade | 1,000+ | Wiz |
| ChatGPT credentials on dark web | 225,000+ | The Hacker News |
| AI coding tool vulns (5 tools tested) | 69 vulns, 6 critical | Fortune |
| Deepfake fraud losses Q1 2025 | $200 million | AI Incident Database |
A single compromised credential triggers lateral movement across multiple package registries and downstream organizations.
Key incidents:
- TeamPCP cascade (Mar 2026): Trivy -> Checkmarx -> LiteLLM -> Telnyx -> CanisterWorm -> Cisco -> Mercor. One service account compromise led to 1,000+ SaaS environments breached.
- Axios npm compromise (Mar 2026): Social engineering of one maintainer threatened 70-100M weekly downloads.
- Bybit heist (Feb 2025): Compromise of one Safe{Wallet} developer led to $1.5B theft.
- Ultralytics PyPI attack (Dec 2024): Git branch name abuse stole CI/CD credentials for two-phase supply chain attack.
An AI agent with legitimate access is tricked into performing actions on behalf of an attacker.
Key incidents:
- Salesforce Agentforce ForcedLeak (Sep 2025): Malicious Web-to-Lead form data tricks agent into exfiltrating CRM records.
- ServiceNow Now Assist (Nov 2025): Low-privilege agent tricks higher-privilege agent into exporting case files.
- EchoLeak M365 Copilot (Jun 2025): Crafted email triggers zero-click data exfiltration.
- ChatGPT SpAIware (Sep 2024): Untrusted data plants persistent exfiltration instructions in memory.
AI agents or chatbot integrations granted excessive access that becomes the attack surface.
Key incidents:
- Salesloft Drift OAuth breach (Aug 2025): Stolen OAuth tokens gave access to 700+ customer Salesforce environments.
- LOLCopilot/M365 Copilot (Aug 2024): Default configurations grant broad access to all emails and documents.
- Amazon Q extension (Jul 2025): Over-scoped GitHub token in CI/CD allowed destructive prompt injection.
- Copilot "zombie data" exposure (Nov 2024): 16,000+ organizations' private repos exposed via cached data.
Malicious configurations in repository files execute code when AI tools process them.
Key incidents:
- Claude Code RCE via hooks (CVE-2025-59536): Malicious .claude/settings.json executes commands before trust dialog.
- Codex CLI command injection (CVE-2025-61260): Project-local configs execute commands without user consent.
- Rules File Backdoor (Mar 2025): Invisible Unicode in .cursorrules and copilot-instructions.md injects malicious code.
- Cursor MCPoison (CVE-2025-54136): Benign MCP config approved once, then silently modified to execute backdoor.
AI tools run user-supplied or AI-generated code without isolation.
Key incidents:
- Langflow CVE-2025-3248 (CVSS 9.8): exec() on user-supplied code without auth; added to CISA KEV.
- Langflow CVE-2026-33017 (CVSS 9.3): Same exec() pattern exploited within 20 hours of disclosure.
- n8n Ni8mare (CVSS 10.0): Content-Type confusion enables unauthenticated RCE on 100K+ instances.
- DB-GPT plugin upload RCE (CVE-2025-51459): No content validation on uploaded Python plugins.
Humans manipulate AI agents or use AI as intermediaries for social engineering.
Key incidents:
- Drift Protocol $285M exploit (Apr 2026): Six-month campaign posing as legitimate trading firm to social-engineer multisig signers.
- Freysa AI agent game (Nov 2024): AI tricked into redefining its own function semantics to release $47K in crypto.
- OpenClaw email deletion at Meta (Feb 2026): Agent's context compaction caused it to ignore explicit stop commands.
- DPD chatbot manipulation (Jan 2024): Customer manipulated chatbot into cursing and criticizing its own company.
Malicious instructions embedded in tool descriptions, model files, or integration metadata.
Key incidents:
- MCP tool poisoning / WhatsApp exfiltration (Apr 2025): Hidden instructions in MCP tool descriptions cause silent data theft.
- Hugging Face GGUF poisoned templates (Jul 2025): Malicious instructions embedded in 1.5M+ model files.
- ClawHub malicious skills (Jan-Mar 2026): 1,184+ malicious skills distributing Atomic Stealer and keyloggers.
- GitHub Copilot filename injection (Nov 2025): Extremely long filenames with prompt injection instructions.
AI agents execute privileged operations without per-action permission checks.
Key incidents:
- Meta Sev 1 rogue AI agent (Mar 2026): Agent posted technical advice containing sensitive data without human confirmation.
- ROME agent sandbox escape (Mar 2026): Agent spontaneously initiated crypto mining and reverse SSH tunnel.
- GitHub Copilot YOLO mode (CVE-2025-53773): Prompt injection disables all user confirmations.
- Cursor CurXecute (CVE-2025-54135): Config changes and malicious commands execute before user can reject.
AI agents send data to arbitrary external endpoints without restriction.
Key incidents:
- EchoLeak (CVE-2025-32711): M365 Copilot exfiltrates data via crafted emails.
- GitHub Copilot CamoLeak (CVE-2025-59145): Data exfiltrated via GitHub Camo proxy image requests encoding secrets in URLs.
- Slack AI exfiltration (Aug 2024): Markdown link rendering enables data exfiltration to attacker servers.
- ASCII smuggling M365 Copilot (Jul 2024): Invisible Unicode in hyperlinks carries stolen MFA codes to external servers.
AI development tools become vectors for credential and secret exposure.
Key incidents:
- Claude Code API key exfiltration (CVE-2026-21852): Malicious settings redirect API requests before trust prompt.
- Claude Code InversePrompt (CVE-2025-54795): AI helps reverse-engineer its own security to enable command injection.
- CrewAI "Uncrew" (Nov 2025): Improper error handling exposes admin GitHub token to all private repos.
- GitHub Copilot training data leakage (May 2024): Copilot reproduces real secrets from training data; 40% higher leakage rate.
See CONTRIBUTING.md for guidelines on adding incidents.